CVE-2024-47947: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Image Access GmbH Scan2Net
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary JavaScript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function, which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre. The stored JavaScript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser.
AI Analysis
Technical Summary
CVE-2024-47947 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in Scan2Net by Image Access GmbH. The 'Edit Disclaimer Text' function of the configuration menu, reachable at https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre, stores the submitted disclaimer without sanitization, and the ScanWizard later renders it without output encoding. Only the Poweruser and Admin roles can use the function, so placing the payload requires one of those accounts; once stored, the JavaScript runs in the browser of every user who loads the ScanWizard, including the kiosk-mode browser on the device itself. The script executes in the victim's session context and can therefore drive the web interface on the victim's behalf. The published CVSS 3.1 base score is 4.7 (medium): attack vector network, low attack complexity, no privileges required (PR:N), user interaction required (UI:R), changed scope (S:C), and a low integrity impact with no confidentiality or availability impact (C:N/I:L/A:N); these components do reproduce the 4.7 score. Note the mismatch between PR:N and the description, which restricts the injection point to Poweruser and Admin: the published vector is authoritative for scoring, but in practice an attacker needs, or must first obtain, one of those accounts. The C:N rating also means the published assessment does not credit the payload with data theft, so claims of credential or document exfiltration go beyond what the advisory supports, even though script running in another user's session can act on that user's behalf. No patch and no known exploitation had been reported when this entry was enriched. The persistence is what makes the flaw notable: the payload fires on every ScanWizard load without further attacker action, so a single malicious or compromised administrative account affects every subsequent operator of the device.
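The mechanism described above, as an added example that is not Scan2Net code and not from the advisory: a disclaimer string saved through the admin function is spliced verbatim into the HTML that every ScanWizard load renders (the vulnerable path), beside the output-encoding fix and a triage check defenders can run against the value currently stored on a device. The HTML template, the function names, the `STORED_DISCLAIMER` sample and the triage patterns are all assumptions constructed for illustration; how Scan2Net actually stores or renders the field is not known from the advisory.

```javascript
// Added example, not Scan2Net code. The template below is an assumption;
// the advisory only states that the stored text is executed on every
// ScanWizard load.

// Constructed sample of what a Poweruser/Admin could save via admin.cgi.
const STORED_DISCLAIMER = 'Scans are logged.<script>document.title="pwned"</script>';

// Vulnerable: the stored text is concatenated straight into the page that
// every ScanWizard load (kiosk browser included) renders. Markup survives.
function renderDisclaimerVulnerable(text) {
  return `<div id="disclaimer">${text}</div>`;
}

// Hardened: encode the HTML-significant characters for the element-body
// context before splicing. The browser then shows the payload as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderDisclaimerSafe(text) {
  return `<div id="disclaimer">${escapeHtml(text)}</div>`;
}

// Triage helper for defenders who cannot patch yet: flag a stored disclaimer
// that carries markup capable of executing script. Heuristic, not a parser;
// any hit means "inspect by hand and reset the field to plain text".
function disclaimerLooksInjected(text) {
  const patterns = [
    /<\s*script/i,
    /<\s*(iframe|object|embed|svg|img|link|meta)\b/i,
    /\bon[a-z]+\s*=/i,   // inline event handlers such as onload=, onerror=
    /javascript\s*:/i,   // javascript: URLs in href/src
  ];
  return patterns.some((re) => re.test(text));
}

// Browser-side counterpart: if the ScanWizard fetched the disclaimer as data
// and inserted it client-side, textContent (never innerHTML) keeps it inert.
function insertDisclaimerIntoDom(containerEl, text) {
  containerEl.textContent = text; // assigned as text, never parsed as HTML
}

console.log(renderDisclaimerVulnerable(STORED_DISCLAIMER));
console.log(renderDisclaimerSafe(STORED_DISCLAIMER));
console.log('injected:', disclaimerLooksInjected(STORED_DISCLAIMER));
```

The fix is output encoding at the point where the disclaimer is written into the page, not input filtering at admin.cgi: filtering on input is bypassable and leaves any already-stored payload in place, whereas encoding on output neutralizes it regardless of what was saved. A Content-Security-Policy without 'unsafe-inline' on the ScanWizard page would add a second layer.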
Potential Impact
For European organizations, the risk is moderate and falls mainly on the integrity of the Scan2Net management interface. An attacker who holds or obtains Poweruser or Admin credentials can plant a script that runs in the browser of every later operator, including anyone using the kiosk-mode browser at the device, and can use that session to alter device configuration or trigger actions in the interface. Confidentiality and availability are not rated as affected, but arbitrary script execution in administrative sessions undermines trust in the device and can serve as a foothold for further abuse of the interface. Organizations that run Scan2Net devices in document workflows, notably in government, finance and healthcare where document integrity matters, may face operational disruption or compliance questions if device settings are manipulated. The privilege requirement narrows the attack surface to insiders and to compromised or shared administrative accounts. Kiosk-mode execution raises the exposure in shared or public settings, because the payload reaches every user of the device, not only administrators.
Mitigation Recommendations
European organizations using Scan2Net devices should implement the following mitigations: 1) Restrict the Poweruser and Admin roles, the only ones able to reach the 'Edit Disclaimer Text' function, to trusted staff, and review device logs for changes to the disclaimer. 2) Inspect the disclaimer text currently stored on each device for HTML tags, inline event handlers or javascript: URLs, and reset it to plain text through the same function if anything unexpected is present; the payload persists only in that stored value. 3) Enforce strong, individual administrative credentials and rotate them, since the vulnerability is exploitable only through a privileged account. 4) Limit kiosk-mode use where untrusted users can reach the device, because the kiosk browser executes the stored payload on every ScanWizard load. 5) Segment Scan2Net devices from general administrative networks and reach the web interface only from managed browsers, so a hijacked session has limited reach. 6) Where the device sits behind a reverse proxy or WAF, add rules that flag script-bearing submissions to /cgi/admin.cgi; there is no user-side way to add output encoding on the device itself, so request a vendor fix that encodes the disclaimer when the ScanWizard renders it. 7) Brief administrators that text entered in this field reaches every user's browser unencoded. 8) If the residual risk is unacceptable before a patch is available, consider an alternative scanning solution.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Switzerland
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- SEC-VLab
- Date Reserved
- 2024-10-07T13:39:52.543Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69092ee835043901e82caab1
Added to database: 11/3/2025, 10:38:32 PM
Last enriched: 11/3/2025, 11:36:12 PM
Last updated: 11/5/2025, 2:02:41 PM